Vulnerability in Chrome for Android Patched Three Years After Disclosure

A vulnerabilitiy recently patched by Google in Chrome for Android was an information disclosure bug that was originally reported in 2015, but not patched until the release of Chrome 70 in October 2018, security researchers say.

The issue is that the browser – along with WebView and Chrome Tabs for Android – discloses information about the hardware model, firmware version, and security patch level of the device it is installed on. Applications using Chrome to render web content are also impacted.

This behavior, however, is defined in the Chrome docs, which state that the Chrome for Android User Agent string includes the Android version number and build information. The information is also sent to apps using WebView and Chrome Tabs APIs, and, although an option is offered to override the default, most applications choose not to do so.

“Aggravating this issue is that the user agent header is sent always, with both HTTP and HTTPS requests, often by processes running in background. Also, unlike the desktop Chrome, on Android no extensions or overrides are possible to change the header other than the ‘Request Desktop Site’ option on the browser itself for the current session,” security researchers with Nightwatch Cybersecurity explain.

While many browsers have been long identifying the operating system and version on both desktop and mobile devices, the fact that the build tag (which identifies the device name and firmware build) is also disclosed represents the root cause of the issue, the researchers say.

They also argue that, for many devices, this build tag can be used to identify not only the device, but also the carrier and country. The information could also be used to determine the security patch level on the device.

The disclosed information, the researchers say, can be used to track users and fingerprint devices. Furthermore, attackers could use the information to learn whether specific devices contain certain vulnerabilities and target those with their exploits.

The security issue was initially reported to Google in 2015, but the vendor rejected the bug report. Chrome 70, however, arrived in October 2018 with a partial fix, hiding the firmware information but still revealing the hardware model identifier.

The security researchers believe that all prior versions of Chrome for Android are affected by the vulnerability and advise all users to upgrade to version 70 or later. Google continues to treat the issue as not being security related, and a CVE number hasn’t been issued, the researchers say.

When contacted about the issue in 2015, the vendor said all is working as intended. Last year, however, a new bug was filed by the vendor, along with a feature request, and Chrome 70 for Android brought the aforementioned partial fix, which only applies to the browser itself.